Data sharing can bring important benefits to organisations, citizens and 
consumers, making our lives easier and helping to deliver efficient 
services. It is important, however, that organisations who share personal 
data have high data protection standards, sharing data in ways that are 
fair, transparent and accountable. We also want controllers to be 
confident when dealing with data sharing matters so individuals can be 
confident their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating our 
data sharing code of practice, which was published in 2011. The updated 
code will explain and advise on changes to data protection legislation 
where these changes are relevant to data sharing. It will address many 
aspects of the new legislation including transparency, lawful bases for 
processing, the new accountability principle and the requirement to record 
processing activities. 


The updated data sharing code of practice will continue to provide 
practical guidance in relation to data sharing and will promote good 
practice in the sharing of personal data. In the first instance we will 
address the impact of the changes in data protection legislation on data 
sharing and will then move on to developing further case studies. Our 
intention is that, as well as legislative changes, the code will also deal 
with technical and other developments that have had an impact on data 
sharing since the publication of the last code in 2011. 


Before preparation of the code the Information Commissioner must 
consult with the Secretary of State. She is also seeking input from trade 
associations, data subjects and those representing the interests of data 
subjects. This call for views is the first stage of the consultation process. 
We will use the responses we receive to inform our work in developing the 
updated code. 


You can email your response to CentralGovernment@ICO.org.uk 


Or print and post to: 

Data Sharing Code Call for Evidence 
Central Government Department 
Information Commissioner's Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire SK9 5AF 


If you would like further information on the call for evidence, please email 
the Central Government team. 


Please send us your views by 10 September 2018. 


Privacy statement 


For this call for evidence we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 
what we do with personal data please see our privacy notice. 


Questions 


Q1 We intend to revise the code to address the impact of changes in 
data protection legislation, where these changes are relevant to 
data sharing. What changes to the data protection legislation do 
you think we should focus on when updating the code? 


1. Lawful Processing 


Consent has been subject to change under the latest legislation, and 
the latest guidance suggests alternative lawful bases for processing 
should be applied where possible. We have noted that this change 
has led to some confusion about applying alternative conditions; in 
some cases key data sharing has stopped because of this issue. 


2. Accountability 


3. Anonymisation and Pseudonymisation 


Pseudonymisation was a concept brought about by the new 
legislation, so the security sections of the code do not reference this 
security measure. Anonymisation is referenced in the 2011 code, but 
it appears to suggest that if data is statistical or anonymised the code 
doesn't apply. Recent guidance (Working Party 29) suggests that to 
achieve true anonymisation is very challenging, so the code may 
need to be updated with this in mind; technology has obviously 
advanced since 2011. 


4. DPIA Requirements 


As a legal requirement, where and when a DPIA needs to be carried 
out is now vitally important. 


5. Legal Obligations of Data Processors 


The 2011 code assumes that Data Processors (DPs) have no legal 
obligations, which has changed under the latest legislation, so 
changes to the code need to reflect that. It would also be helpful to 
have examples of how the DP and Data Controller (DC) work, as 
well as DC to DC, and where the risks and responsibilities lie. 


Q2 Apart from recent changes to data protection legislation, are there 
other developments that are having an impact on your 
organisation’s data sharing practice that you would like us to 
address in the updated code? 


Yes 


No 




Q3 If yes (please specify) 


The most recent guidance that consent as a condition for processing 
should only be relied upon if no other conditions apply has caused many 
bodies and organisations to move away from relying on consent. 
However, whilst it is generally accepted that consent may not be the most 
appropriate condition, it is often not known what alternative condition is 
most appropriate. 


Without a clear steer as to which condition is most appropriate, 
organisations are determining themselves the most appropriate condition 
to apply, and there are instances where the same types of organisations 
have applied different conditions to the same type of data sharing. This 
can only be confusing for data subjects, as the basis on which their 
personal data is shared may be different depending on which organisation 
they use in the same sector, for the same processing. For example, in the 
healthcare industry special category data is shared without consent under 
Article 9h for medical purposes, but issues have been raised about sharing 
for research requirements and/or national registries/audits where there is 
no regulatory requirement. 


If the code could address in more detail how to apply different conditions 
to data sharing, with examples and the kinds of processing that may be 
covered under different conditions, this might give some consistent 
guidance for organisations to apply. Currently the 2011 code does 
mention that consent may not always be the most appropriate condition, 
but this is only covered in one sentence. Some of the more common 
alternative conditions are explained, but more detail around electing the 
most suitable condition and emphasising the importance of getting a clear 
basis for your data sharing (including any contractual requirements) 
would be helpful. Ideally this would also be linked into the accountability 
and transparency requirements as well as the common law duty of 
confidentiality. An added complication is where, in certain circumstances, 
data subjects have the right to opt out regardless of whether consent is 
required. 


Q4 Does the 2011 data sharing code of practice strike the right 
balance between recognising the benefits of sharing personal data 
and the need to protect it? Please give details. 


Yes 


No 




Q5 If yes in what ways does it achieve this? 


Q6 If no, in what ways does it fail to strike the right balance? 


Section 4 - Data sharing and the law covers considerations that may 
prevent data sharing, but there isn't any reference to positive 
considerations here. There may also be compelling reasons to be sharing 
personal data that outweigh any risks or constraints. 


The factors affecting data sharing are often referred to as 'issues' or 
'restrictions', and in some instances this is accurate, but sometimes they 
are just considerations or factors to take into account. Reference to 
'issues' or 'restrictions' may elicit the idea that data sharing is something 
to be prevented or is negative. If personal data is shared properly and 
in compliance with the DPA it can be incredibly positive, and I am not 
sure that in the examples, case studies or the paragraphs of the code this is 
necessarily made clear. In the healthcare sector data sharing can improve 
patient safety and even improve healthcare and advancements in 
healthcare more generally. We have suggested in our answers to the 
questions below how we think this balance can be evened out. 


Q7 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are covered in too much detail in the 
2011 code? 


1. Public Authorities Governance 


Pages 11-12 cover the powers of public authorities in quite a lot of 
detail. This could be quite confusing to private sector organisations, 
as it appears quite restrictive. 


2. Human Rights 


Page 13 covers Human Rights. Whilst we agree that there is a link 
between data sharing and human rights, we are not sure if it needs 
to go into that level of detail. We believe it would be more beneficial 
to go into further detail on the issues associated with sharing data 
between private and public organisations or those third sector 
organisations carrying out a public function (please see further 
detail in response to Q8). 


Q8 What types of data sharing (eg systematic, routine sharing or 
exceptional, ad hoc requests) are not covered in enough detail in 
the 2011 code? 




1. Sharing with Subsidiaries 


For organisations who have subsidiaries or group companies, the code 
refers to data sharing internally, but explicit reference to separate 
companies within the same group isn't covered. 


2. Sharing with Public Authorities 


On page 12 public sector organisations are covered, then private 
sector organisations are covered. There is a very brief reference to 
potential issues with data sharing between private and public sector, 
but it doesn't go into any detail. The code goes on to briefly mention 
there being potential issues for third sector organisations carrying 
out public functions, but again no further detail. It would be useful 
to have examples and further detail about the sorts of issues that 
organisations may need to consider. 


Q9 Is the 2011 code relevant to the types of data sharing your 
organisation is involved in? If not, which additional areas should 
we cover? 


1. Risks to NOT sharing personal data 


Sometimes there is actually a risk to not sharing personal data, not 
only in the healthcare sector but across other industries as well; 
social services and the police are more obvious examples. 


The updated code could focus not only on positive 
considerations and factors, but also on the risks and issues that 
organisations may need to consider if personal data isn't shared. 
We have experienced third party clinicians or organisations who 
have used the GDPR as a barrier to not share personal data with us 
that we have needed. Thankfully none of the information has been 
needed in an emergency situation, but we are concerned that this 
could easily occur. 


Q10 Please provide details of any case studies or data sharing scenarios 
that you would like to see included in the updated code? 


1. Applying Exemptions 


On page 54 there is a case study involving two health authorities; 
however, a more common example we see is that public health 
trusts will approach a private healthcare provider for information 
under the crime and taxation exemption, and it will be a request for 
a one-off sharing of personal data, i.e. the Local Counter Fraud 
Specialist for an NHS trust would approach a private hospital 
requesting the dates and times someone worked at the hospital as 
they suspected their employee was working whilst claiming sick 
pay. The LCFS would quote the crime and taxation exemption, and 
the hospital would consider whether data could be shared under this 
exemption. It would be useful to have a case study that covered an 
organisation exploring an exemption such as this, even if it wasn't 
in the healthcare sector. 


2. Considering lawful basis for processing 


All private healthcare providers are required to share information 
with PHIN (Private Healthcare Information Network), and there are 
other bodies, e.g. the National Joint Registry, where data sharing is 
encouraged to improve healthcare. Submission of information to 
these bodies is not always mandatory for private patients' data, so 
we are required to explore alternative conditions for processing. It 
would be useful to see a case study exploring and applying different 
conditions for processing. As mentioned in previous answers, the 
factors to take into account and how to apply and justify different 
conditions are causing some issues across the industry. Currently 
there is no consistent approach across the industry, and therefore 
data is being withheld for lack of certainty. 


Q11 Is there anything the 2011 code does not cover that you think it 
should? Please provide details. 


Examples of data sharing being positive 

Risks of not sharing personal data 

More examples throughout the code generally 

Data sharing between subsidiaries and group companies 

Where DPIAs and LIAs should be considered by organisations 

The potential issues of data sharing between the private and public 
sector 

More information on accountability and transparency 

Guidance on applying the appropriate lawful basis for processing, 
including research and statistics 

Examples of how the lawful basis links to transparency and 
accountability as well as confidentiality 


Q12 In what other ways do you think the 2011 code could be 
improved? 


1. Less detail for ‘generic’ sections 


Page 32 covers individuals' rights. As there are separate codes on 
individuals' rights and this is also covered in the section of the code on 
Data Sharing Agreements, this might be covered in too much detail. 


Page 36 covers ICO powers and penalties. Page 38 covers notification. 
These sections are not specific to data sharing or this code so this 
information could be found by linking out to a document or code 
covering this information or a pared down reference included in the 
code. 


Page 39 covers FOI, which isn't applicable to all organisations. The 
important point with regards to data sharing and FOI is that if a private 
sector organisation is sharing personal data with a public authority, 
FOI may apply to that personal data. We are not sure if it needs any 
more information than that included, as there are separate codes and 
guidance on FOIA more generally. 


2. ‘Governance’ incorporated into the code 


Governance is covered in a separate section on page 26. We believe 
the code could be improved if most of those requirements and 
considerations were weaved into the code, e.g. DPIAs and the 
requirement to have a DPIA should be included in sections that are 
talking about considering individuals' rights, such as section 5 'deciding 
to share personal data'. Within this section it would be a logical place 
to refer to DPIAs and that being something organisations need to 
consider. 


3. More Examples 


There are case studies at the end of the code and some examples 
weaved into the code, but to give the code a more practical connection for 
organisations more examples would be useful. One example is at the 
bottom of page 18, where the section is considering how to communicate 
with individuals about data sharing and the signposting of privacy 
notices. The factors or variables that might require active 
communication of the privacy notice are included, but a practical 
example would be really useful. Equally, at the bottom of page 12 
organisations are advised to review their articles or similar to make 
sure no restrictions would prevent data sharing. Examples of what 
those might look like, or common restrictions, would be really helpful for 
that point. In the same section the code considers issues for third 
sector bodies that are carrying out public sector functions. Examples of 
what sorts of issues they may face would be helpful here, and also 
examples of issues that may present themselves when sharing 
personal data with a public body. A similar approach to the WP29 
schedule of examples would be beneficial. 


4. Clearer Guidance on Emergency Data Sharing 


Clearer guidance on whether the relevant sections apply to 
emergency data sharing or not (it isn’t always clear). 


About you: 


Q13 Are you answering these questions as? 

A public sector worker 

A private sector worker 

A third or voluntary sector worker 

A member of the public 

A representative of a trade association 

A data subject 

An ICO employee 

Other 
Q14 If other please specify: 


Q15 Please provide more information about the type of organisation 
you work for, ie a bank, a housing association, a school. 


Private Healthcare Provider 
Fitness & Wellbeing Provider 


Q16 We may want to contact you about some of the points you have 
raised. If you are happy for us to do this please provide your email 
address: 




Thank you for taking the time to share your views and experience. 


